Gateway Rules

The assumption is that the FreeBSD Gateway is up and running properly, so the following comprises some extra rulesets for customisation of the /etc/ipnat.rules file. It also uses the example of a typical gateway joining two LANs as shown in the following diagram...

...and a basic ipnat.rules ruleset as illustrated here:

#Andys ipnat.rules file
#--------------------------------------------------------------------
# Do 'normal' IP address translation. This line will take all packets
# going out on your external NIC (rl0) that have a source address
# coming from your internal network (192.168.0.0/24), and translate it
# to whatever IP address your external NIC happens to have at that
# time
#--------------------------------------------------------------------
map rl0 192.168.0.0/24 -> 0/32
#--------------------------------------------------------------------
# If you have a system on your internal network that needs to be
# 'reachable' by external systems on the internet, you'll need a rule
# similar to the one below. This one takes all inbound http traffic
# (TCP port 80) that hits the firewall's external interface (rl0) and
# redirects it to port 80 on the 192.168.1.50 system on the internal
# network.
# Simply uncomment the rule, change the IP address and port number so
# that it does what you need. Remember that you have to enable the
# corresponding inbound filter in your /etc/ipf.rules file, too.
#--------------------------------------------------------------------
# rdr rl0 0.0.0.0/0 port 80 -> 192.168.1.50 port 80 tcp

Note that the internally-facing network interface is referred to as fxp0 with a Class-C IP Address of 192.168.0.13, and the externally-facing interface is called rl0 with a Class-A IP Address of 10.147.86.63.

Your own interfaces and IP addressing scheme are likely to differ and will need to be modified accordingly.

However, note that what is happening at the internal and external interface level will still be quite relevant.

As usual, anything with a hash (#) in front of it is a comment only and is ignored by ipnat. Thus far we have only one unhashed line, the map rule, which takes all traffic arriving from the 192.168.0.0/24 network on the internally-facing fxp0 interface, performs Network Address Translation (NAT) on the packets so that they carry the address of the externally-facing rl0 interface, and then sends them on their way out through rl0. This is explained in the comments at the top of the file above.

Mapping Services to IP Addresses
Adding to or modifying the functioning of the gateway usually involves editing the /etc/ipnat.rules file. The following is a list of modifications I have added to my own gateway in order to map services coming from outside the gateway to the relevant system inside the Local Area Network (LAN).

Again, note that although the two networks are referred to as trusted and untrusted, no security or firewall settings have been configured at this stage. This is purely a listing of rules contained within the /etc/ipnat.rules configuration file, in order to allow outside systems to access services behind the gateway.

These port forwarders will allow traffic through your gateway, possibly from unknown sources, and it is strongly recommended that you use firewalling rules to enforce security once the gateway rules are running smoothly.

The process is basically one of adding a rdr line which redirects anything arriving on the external network interface for a given port to the IP address and port of the system on the inside of the network which needs to be accessed. Remember there are 65,536 possible ports (0-65535), each of which could be tcp, udp or both (tcp/udp). Many services, especially games, use several ports at once.

If you're not sure of the correct port(s) for the required service, application or game, chuck it into a Google search and use the example below to forward the requests to the right place.
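The variants described above (a single tcp port, a udp-only port, a service using both transports, and a contiguous port range) worked through as an added example; this is not a ruleset from the original page. The interface names follow the page (rl0 external, fxp0 internal), but the internal hosts 192.168.0.50 and 192.168.0.60 and every port number are constructed for illustration and should be replaced with your own.

```conf
# Constructed example additions for /etc/ipnat.rules (not from the
# original page). rl0 is the external interface as on the page; the
# internal host addresses and the port numbers are made up.

# Outbound NAT for the LAN, exactly as in the base ruleset above.
map rl0 192.168.0.0/24 -> 0/32

# Single tcp port: inbound SSH arriving on rl0 goes to 192.168.0.50:22.
rdr rl0 0.0.0.0/0 port 22 -> 192.168.0.50 port 22 tcp

# Single udp port: a service that only speaks udp on port 5060.
rdr rl0 0.0.0.0/0 port 5060 -> 192.168.0.60 port 5060 udp

# A service that uses the same port over both transports at once.
rdr rl0 0.0.0.0/0 port 27015 -> 192.168.0.60 port 27015 tcp/udp

# A contiguous range (27016-27020) mapped onto the same range on the
# internal host; the destination port names the start of the range.
rdr rl0 0.0.0.0/0 port 27016-27020 -> 192.168.0.60 port 27016 tcp/udp
```

After editing, `ipnat -n -f /etc/ipnat.rules` parses the file without changing the running kernel, `ipnat -CF -f /etc/ipnat.rules` clears the old rules and loads the new ones, and `ipnat -l` lists what is active. Each rdr line is only half the job: the comment in the base ruleset says the corresponding inbound filter must be enabled in /etc/ipf.rules, and for the SSH line above that would be something like `pass in quick on rl0 proto tcp from any to 192.168.0.50 port = 22 flags S keep state`. Because IPFilter applies rdr before the inbound filter runs, that filter rule is written against the internal (translated) address, not the gateway's external one.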